Cathy Arora
Frequent Advisor

userid with multiple group

I have to give access to one of our users to adm privileges and she is already in users group. Can I add the same id in another group or have to create new id with different adm group? What is the best way to handle this situation and how?
Thanks for help and input.
raj
Umapathy S
Honored Contributor

Re: userid with multiple group

Cathy,
A user can be part of more than one group. But users will be the primary group in your case.
Use newgrp command to change the group id temporarily.

HTH,
Umapathy

Arise Awake and Stop NOT till the goal is Reached!
Steven E. Protter
Exalted Contributor

Re: userid with multiple group

Fastest way to go:

Sam
Users

Pick the user.

Add secondary groups to the user. Do it carefully with the impact on security in mind.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
A. Clay Stephenson
Acclaimed Contributor

Re: userid with multiple group

You can simply edit the /etc/group file and add the user to additional group. The user's primary group remains the GID in the passwd entry. If you now link /etc/group and /etc/logingroup, the user will not be required to issue a newgrp command but automatically be checked for group membership.

Plan B. Use sudo to give this user access to certain commands.
If it ain't broke, I can fix that.
Cathy Arora
Frequent Advisor

Re: userid with multiple group

Thanks for your suggestions.
raj
Cathy Arora
Frequent Advisor

Re: userid with multiple group

I used sam to give access to additional group but when I browse passwd file, I cannot see additional group listed there.
Also I was not able to perform as root even though I put myself in root group as well.

raj
Rainer von Bongartz
Honored Contributor

Re: userid with multiple group

You will only see the primary group in /etc/passwd.
Take a look at /etc/groups.

Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Todd McDaniel_1
Honored Contributor

Re: userid with multiple group

If you added the group instead of changing the group, then the passwd file will only show the primary group.

Look in the /etc/group file for the additional group listing...

grep /etc/group
grep /etc/group
Unix, the other white meat.
Umapathy S
Honored Contributor

Re: userid with multiple group

Cathy,
/etc/passwd contains the primary group id of the user. Userids are associated with the group rather than the other way round. Comma separated user ids will be in the /etc/group file.
Check Clay's answer for completeness.

HTH,
Umapathy
Arise Awake and Stop NOT till the goal is Reached!
Sanjay_6
Honored Contributor

Re: userid with multiple group

Hi Cathy,

If you want your userid to act as root, change your UID in the /etc/passwd file to "0" or if you are using useradd command using the -o -g 0 option with the useradd command.

Hope this helps.

Regds
Cathy Arora
Frequent Advisor

Re: userid with multiple group

Thanks very much all.
I can see user being added in group file under root. However I was not able to use useradd or other root privileges even though I can see my user being added in root group as a secondary group.

Am I missing something?

Thanks again.
raj
A. Clay Stephenson
Acclaimed Contributor

Re: userid with multiple group

Being in group root is not the same as having a UID of zero. Group root only grants you access to some restricted files but it does nothing towards becoming super-user. That is what setuid() is for.
If it ain't broke, I can fix that.
Umapathy S
Honored Contributor

Re: userid with multiple group

Cathy,
Most of the admin commands need to be run as root. You can create or set your userid to 0 to effect the same. But for security reasons a big no for this.

HTH,
Umapathy
Arise Awake and Stop NOT till the goal is Reached!
Todd McDaniel_1
Honored Contributor

Re: userid with multiple group

Cathy,

Seems like you need to create a root2 user with a different password than you have for root, for this type of functionality or give Restricted SAM to the user who needs it.

I agree with above posters, never give a normal user 0 UID... but better have them su to a root2 account so that you can track it with the /var/adm/sulog.

I'm guessing this person is fairly reliable and trustworthy that you can count on them to act responsibly. Giving them a root2 account would be a good way of doing what you need OR a restricted SAM for their current user.
Unix, the other white meat.
Cathy Arora
Frequent Advisor

Re: userid with multiple group

Thanks all.
Todd's root2 scenario sounds good.
As far as security tracking is concerned I have another question.
Is there a way to know the information about the workstation from where the user is logged in?
I do not mean uname -a.
I would like real machine information (each organization gives a machine some kind of a tag # or name) and if a user telnets from one machine and issues some dangerous operation I would like to track which machine was logged in as root.
I am not sure if tty information has to be translated and how or is there another way to track it.
Thanks again.
raj
A. Clay Stephenson
Acclaimed Contributor

Re: userid with multiple group

I would NEVER have more than one user with UID 0. That is simply asking for huge security problems. Once that person acquires UID 0, anything can be done. A much smarter way to give limited admin access to a user is through the sudo command.

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.6.7p5/
If it ain't broke, I can fix that.
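
An added example, not part of any post in this thread: a POSIX shell audit of two points made above, that secondary groups live in the group file while passwd shows only the primary GID, and that only one account should have UID 0. The function names and sample accounts are constructed; it reads passwd- and group-format files only and assumes no NIS or other name service.

```shell
#!/bin/sh
# Added example: audit passwd/group-format files (constructed names throughout).

# Print every login name whose UID field (3rd) is 0.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Print "user primary" / "user secondary" for each member of group $1.
# Primary membership is the GID field (4th) in passwd; secondary
# membership is the comma-separated 4th field of the group file.
group_members() {
    grp=$1 pw=${2:-/etc/passwd} gr=${3:-/etc/group}
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$gr")
    if [ -z "$gid" ]; then return 1; fi
    awk -F: -v gid="$gid" '$4 == gid { print $1, "primary" }' "$pw"
    awk -F: -v g="$grp" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i], "secondary"
    }' "$gr"
}

# Fail (status 1) and name the offenders if any account other than
# "root" has UID 0.
check_single_uid0() {
    extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}")
    if [ -n "$extra" ]; then
        echo "extra UID 0 accounts:" $extra
        return 1
    fi
}

# Constructed sample data: raj has primary group users and secondary
# group root; root2 is a second UID 0 account.
demo_dir=${TMPDIR:-/tmp}/grpaudit.$$
mkdir "$demo_dir" || exit 1
cat > "$demo_dir/passwd" <<'EOF'
root:*:0:3::/:/sbin/sh
raj:*:105:20::/home/raj:/usr/bin/sh
root2:*:0:3::/home/root2:/sbin/sh
EOF
cat > "$demo_dir/group" <<'EOF'
root::0:root,raj
users::20:
EOF
group_members root "$demo_dir/passwd" "$demo_dir/group"
group_members users "$demo_dir/passwd" "$demo_dir/group"
check_single_uid0 "$demo_dir/passwd" || echo "audit failed"
```

Called with no file arguments, the functions read /etc/passwd and /etc/group.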
Patrick Wallek
Honored Contributor

Re: userid with multiple group

To see who was logged in from where, you can do a 'last -R' and that will show each user and what machine name or IP address they connected from if they connected via telnet or rlogin.

# last -R root

To see where root logged in from.

I also agree with A. Clay...I do not recommend having more than 1 UID 0 user. If you must allow others to run commands only root can run, look at something like sudo.
Todd McDaniel_1
Honored Contributor

Re: userid with multiple group

who -a shows all connections.
who -u shows all users logged in.
who -R shows basically the same as who -u does.

You can include in the /etc/profile or CRON job and check for access.

who -u > /var/adm/wholog

or better

who -R |mailx -s "users' Logged in" root

This will be run every time someone logs into your host, AND can't be messed with b/c it is run as they log in. What I'm not sure about is if the /etc/profile is sourced when you su to another user. I know it is sourced when you initially log in.

Also, you might have a CRON to compare /var/adm/sulog to sulog.diff every 15 minutes...

or run a wrapper to check for sulog modification instead of a cron every 15 minutes.
Unix, the other white meat.
Cathy Arora
Frequent Advisor

Re: userid with multiple group

Thanks very much for help.
raj
Cathy Arora
Frequent Advisor

Re: userid with multiple group

last -R root works, however who -a does not show all users logged as they log in.
I would like this to work for security purpose.

I think there is an issue with sourcing etc/profile. First time login it will do.
I would like to get informed via e-mail as someone logs in as root and machine info (last -R root).
Any other ideas or readily available scripts?
Once again thanks.
raj
Todd McDaniel_1
Honored Contributor

Re: userid with multiple group

Create a daemon.

A wrapper file on the /var/adm/sulog will show who uses su command.


For who has logged in recently:

ll -u /etc/profile will provide the last time the /etc/profile was accessed... giving you exact time of user login...

I'm a bit busy to write a script for this but you can either do a cron every 5 mins or include it in the wrapper for the /var/adm/sulog
Unix, the other white meat.
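
An added example, not from the thread's participants: one way to do the periodic sulog check suggested above, reporting only su attempts to root logged since the previous run. It assumes the System V sulog line layout (`SU date time +/- tty from-to`); the function name, state file and sample lines are constructed.

```shell
#!/bin/sh
# Added example: report new su-to-root entries in a sulog-format file.
# Assumed line layout: SU MM/DD HH:MM +|- tty fromuser-touser

# $1 = sulog path, $2 = state file holding the line count already reported.
new_root_su() {
    log=${1:-/var/adm/sulog} state=$2
    seen=0
    if [ -f "$state" ]; then seen=$(cat "$state"); fi
    total=$(awk 'END { print NR }' "$log")
    # Fewer lines than last run: the log was rotated, trimmed or edited.
    if [ "$total" -lt "$seen" ]; then
        echo "WARNING: $log shrank from $seen to $total lines"
        seen=0
    fi
    # Keep only entries whose target user is root; "+" is success, "-" failure.
    awk -v skip="$seen" 'NR > skip && $1 == "SU" && $6 ~ /-root$/ {
        from = $6; sub(/-root$/, "", from)
        printf "%s %s %s %s->root tty %s\n", $2, $3, ($4 == "+" ? "OK" : "FAILED"), from, $5
    }' "$log"
    echo "$total" > "$state"
}

# Constructed sample log (not from the thread).
sulog_demo=${TMPDIR:-/tmp}/sulog_demo.$$
cat > "$sulog_demo" <<'EOF'
SU 10/21 09:15 + ttyp1 raj-root
SU 10/21 09:20 - ttyp2 bob-root
SU 10/21 09:31 + ttyp1 raj-oracle
EOF
new_root_su "$sulog_demo" "$sulog_demo.state"
```

Run from cron, any output can be piped to `mailx -s`, as an earlier post does with `who -R`; keep the state file somewhere only root can write.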
Jack Werner
Frequent Advisor

Re: userid with multiple group

Cathy,

In our shop we do not allow root to login. Authorized users must su to root to become root. Therefore, the user must have an account on the machine to login. We control this by a group that the authorized administrators belong to. Only users in this group may su to root. Actual security can be managed by root's password. This can be changed periodically (under system control) and only current group members advised of the new password.
i'm retired
Todd McDaniel_1
Honored Contributor

Re: userid with multiple group

Cathy,

We also don't allow direct root except from the console, as I'm sure you also require.

Jack's message reminded me of a security tool that we have loaded. It is called "scfmgr". This tool will email any violations to the specified individual or system mail. It is a part of the Sysguard security software package.

All users with su to root access should be listed in this file or else it generates a system message.

Unix, the other white meat.